CVE-2022-34960

Exploit

EPSS 0.53%
Veröffentlicht 25.08.2022 02:15:19
Zuletzt bearbeitet 21.11.2024 07:10:28
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links, which resolve to locations on the host device. This allows the attacker to mount any arbitrary file to any location on the host.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mikrotik ≫ Routeros Version7.4 Updatebeta4 SwEdition-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.669

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://nns.ee/blog/2022/06/21/routeros-container-rce.html

Broken Link

https://nns.ee/blog/2022/08/05/routeros-container-rce.html

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-34960

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-34960

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-34960

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-34960